From 45dc1e5f6293ba71528b4f5f263cfd14c2a37e54 Mon Sep 17 00:00:00 2001 From: rjha-splunk Date: Wed, 20 Sep 2023 15:42:25 +0200 Subject: [PATCH] fix: postfilter automatic assignment --- .../conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf | 1 - .../conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf | 3 +-- .../app-postfilter-vmware_vsphere_invalidmultiline.conf | 1 - .../app-postfilter-vmware_vsphere_sdrsInjector.conf | 3 +-- .../post-filter/app-postfilter-vmware_vsphere_storageRM.conf | 3 +-- 5 files changed, 3 insertions(+), 8 deletions(-) diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf index feb66e0843..d3897c0f83 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_acs.conf @@ -39,7 +39,6 @@ block parser app-postfilter-cisco_acs() { inherit-mode(context) ) timeout(10) - persist-name("grouping-by-app-postfilter-cisco_acs") ); }; diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf index 51dda02e82..d47f3ce445 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-cisco_ise.conf @@ -23,7 +23,7 @@ block parser app-postfilter-cisco_ise() { parser{ grouping-by( - scope(program) + scope(host) key("${.values.serial}") trigger("$(context-length)" >= "${.values.num}") sort-key("${.values.seq}") @@ -38,7 +38,6 @@ block parser app-postfilter-cisco_ise() { inherit-mode(context) ) timeout(10) - persist-name("grouping-by-app-postfilter-cisco_ise") ); }; diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_invalidmultiline.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_invalidmultiline.conf index 89ab0bc84d..0cbe8bb1ef 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_invalidmultiline.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_invalidmultiline.conf @@ -28,7 +28,6 @@ block parser app-postfilter-vmware_vsphere_invalidmultiline() { inherit-mode(context) ) timeout(2) - persist-name("grouping-by-app-postfilter-vmware_vsphere_invalidmultiline") ); }; diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_sdrsInjector.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_sdrsInjector.conf index 2c02d6e9d0..16b8dd598a 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_sdrsInjector.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_sdrsInjector.conf @@ -10,7 +10,7 @@ block parser app-postfilter-vmware_vsphere_sdrsInjector() { parser{ grouping-by( scope(program) - key('$SOURCEIP') + key('$FULLHOST') aggregate( tags("agg") value("MESSAGE" "$(implode '\n' $(list-slice 0:-1 $(context-values ${MESSAGE})))") @@ -28,7 +28,6 @@ block parser app-postfilter-vmware_vsphere_sdrsInjector() { inherit-mode(context) ) timeout(2) - persist-name("grouping-by-app-postfilter-vmware_vsphere_sdrsInjector") ); }; diff --git a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_storageRM.conf b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_storageRM.conf index 8c73f38c21..9c6dcb46b6 100644 --- a/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_storageRM.conf +++ b/package/etc/conf.d/conflib/post-filter/app-postfilter-vmware_vsphere_storageRM.conf @@ -10,7 +10,7 @@ block parser app-postfilter-vmware_vsphere_storageRM() { parser{ grouping-by( scope(program) - key('$SOURCEIP') + key('$FULLHOST_FROM') trigger(message('datastoreSlopeUS\[5\]')) aggregate( tags("agg") @@ -29,7 +29,6 @@ block parser app-postfilter-vmware_vsphere_storageRM() { inherit-mode(context) ) timeout(2) - persist-name("grouping-by-app-postfilter-vmware_vsphere_storageRM") ); };